The Defense Intelligence Agency Web site, until earlier this week, exposed job applicants to potential privacy and security risks because it loaded JavaScript code hosted on a third-party Web site.
While there's no evidence that the site leaked personal information, the presence of a script tag that fetches and executes JavaScript code residing on a Statcounter.com server in Ireland was a weak link in the security chain: code loaded that way runs with the full privileges of the DIA page, so anyone who controlled or compromised that server could have read what applicants typed and collected potentially valuable foreign intelligence about future DIA personnel.
Security researcher Bipin Gautam sent an e-mail to the Full Disclosure security mailing list earlier this week outlining his concerns.
In a follow-up e-mail to InformationWeek, he explained the issue. "If a Web site includes third-party JavaScript like stat counters, advertisement scripts, [or] banners called from third-party servers, the Web site is at risk of having to rely on the third party as well for overall security assurance of its Web site," he said.
[..]